Do you share your computer with other people either at work or at home? Then you're no doubt all too aware of one undeniable fact of human psychology: People are individuals with minds of their own! One person prefers Windows in a black-and-purple color scheme; another person just loves that annoying Peace wallpaper; yet another person prefers to have a zillion shortcuts on the Windows desktop; and, of course, everybody uses a different mix of applications. How can you possibly satisfy all those diverse tastes and prevent people from coming to blows?

It's a lot easier than you might think. Windows Vista lets you set up a different user account for each person who uses the computer. A user account is a username (and an optional password) that uniquely identifies a person who uses the system. The user account enables Windows Vista to control the user's privileges; that is, the user's access to system resources (permissions) and the user's ability to run system tasks (rights). Standalone and workgroup machines use local user accounts that are maintained on the computer, whereas domain machines use global user accounts that are maintained on the domain controller. This chapter looks at local user accounts.

Understanding Security Groups

Security for Windows Vista user accounts is handled mostly (and most easily) by assigning each user to a particular security group. For example, the built-in Administrator account and the user account you created during the Windows Vista setup process are part of the Administrators group. Each security group is defined with a specific set of permissions and rights, and any user added to a group is automatically granted that group's permissions and rights. There are two main security groups:

Administrators—Members of this group have complete control over the computer, meaning they can access all folders and files, install and uninstall programs (including legacy programs) and devices, create, modify, and remove user accounts, install Windows updates, service packs, and fixes, use Safe mode, repair Windows, take ownership of objects, and more.

Users—Members of this group (also known as Standard Users) can access files only in their own folders and in the computer's shared folders, change their account's password, picture, and run programs and install programs that don't require administrative-level rights.

In addition to those groups, Windows Vista also defines up to 11 others that you'll use less often. Note that the permissions assigned to these groups are automatically assigned to members of the Administrators group. This means that if you have an administrator account, you don't also have to be a member of any other group in order to perform the task's specific to that group. Here's the list of groups:

Backup Operators—Members of this group can access the Backup program and use it to back up and restore folders and files, no matter what permissions are set on those objects.

Cryptographic Operators—Members of this group can perform cryptographic tasks.

Distributed COM Users—Members of this group can start, activate, and use Distributed COM (DCOM) objects.

Guests—Members of this group have the same privileges as those of the Users group. The exception is the default Guest account, which is not allowed to change its account password.

IIS_USRS—Members of this group can work with a remote Internet Information Server.

Network Configuration Operators—Members of this group have a subset of the Administrator-level rights that enables them to install and configure networking features.

Performance Log Users—Members of this group can use the Windows Performance Diagnostic Console snap-in to monitor performance counters, logs, and alerts, both locally and remotely.

Performance Monitor Users—Members of this group can use the Windows Performance Diagnostic Console snap-in to monitor performance counters only, both locally and remotely.

Power Users—Members of this group (also known as Standard Users) have a subset of the Administrator group privileges. Power Users can't back up or restore files, replace system files, take ownership of files, or install or remove device drivers. In addition, Power Users can't install applications that explicitly require the user to be a member of the Administrators group.

Remote Desktop Users—Members of this group can log on to the computer from a remote location using the Remote Desktop feature.

Replicator—Members of this group can replicate files across a domain.

Each user is also assigned a user profile that contains all the user's folders and files, as well as the user's Windows settings. The folders and files are stored in \%SystemDrive%\Users\user, where user is the username; for the current user, this folder is designated by the %UserProfile% variable. This location contains a number of subfolders that hold the user's document folders (Documents, Pictures, Music, and so on), desktop icons and subfolders (Desktop), Internet Explorer favorites (Favorites), contacts (Contacts), saved searches (Searches), and more.

There are also a number of user folders within the hidden %UserProfile%\AppData folder that contain the user's application data. Some are in %UserProfile%\AppData\Local, whereas others are in %UserProfile%\AppData\Roaming (supposedly because they'll be used with a roaming profile—a network-based user profile that enables you to log on to any computer and see your profile data. Table 6.1 lists some of the more important of these application data subfolders.